---
apiVersion: batch/v1
kind: Job
metadata:
  name: plugin-db-updater-job
  labels:
    jobgroup: plugin-db-updater
spec:
  ttlSecondsAfterFinished: 10
  template:
    metadata:
      name: plugin-db-updater-job
      labels:
        jobgroup: plugin-db-updater
    spec:
      containers:
      - name: updater
        image: cloud-plugin-load_db:latest
        command: ["/busybox/sh", "-c"]
        args:
        - |
            trap "touch /tmp/pod/terminated" EXIT
            src/cloud/plugin/load_db/load_db_/load_db
        envFrom:
        - configMapRef:
            name: pl-db-config
        - configMapRef:
            name: pl-domain-config
        - configMapRef:
            name: pl-tls-config
        volumeMounts:
        - mountPath: /tmp/pod
          name: tmp-pod
        - name: certs
          mountPath: /certs
        env:
        - name: PL_POSTGRES_USERNAME
          valueFrom:
            secretKeyRef:
              name: pl-db-secrets
              key: PL_POSTGRES_USERNAME
        - name: PL_POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: pl-db-secrets
              key: PL_POSTGRES_PASSWORD
        - name: PL_JWT_SIGNING_KEY
          valueFrom:
            secretKeyRef:
              name: cloud-auth-secrets
              key: jwt-signing-key
        - name: PL_PLUGIN_SERVICE
          valueFrom:
            configMapKeyRef:
              name: pl-service-config
              key: PL_PLUGIN_SERVICE
        - name: PL_PLUGIN_REPO
          value: "pixie-io/pixie-plugin"
      # yamllint disable-line rule:line-length
      - image: b.gcr.io/cloudsql-docker/gce-proxy:1.14@sha256:96689ad665bffc521fc9ac3cbcaa90f7d543a3fc6f1c84f81e4148a22ffa66e0
        name: cloudsql-proxy
        command: ["/bin/sh", "-c"]
        envFrom:
        - configMapRef:
            name: pl-db-config
        args:
        - |
            /cloud_sql_proxy \
            -instances=${PL_POSTGRES_INSTANCE}=tcp:${PL_POSTGRES_PORT} \
            -ip_address_types=PRIVATE \
            -credential_file=/secrets/cloudsql/db_service_account.json & CHILD_PID=$!
            (while true; do if [[ -f "/tmp/pod/terminated" ]]; then kill $CHILD_PID;
            echo "Killed $CHILD_PID because the main container terminated."; fi; sleep 1; done) &
            wait $CHILD_PID
            if [[ -f "/tmp/pod/terminated" ]]; then exit 0; echo "Job completed. Exiting..."; fi
        volumeMounts:
        - name: pl-db-secrets
          mountPath: /secrets/cloudsql
          readOnly: true
        - mountPath: /tmp/pod
          name: tmp-pod
          readOnly: true
        securityContext:
          runAsUser: 2  # non-root user
          allowPrivilegeEscalation: false
      restartPolicy: Never
      volumes:
      - name: pl-db-secrets
        secret:
          secretName: pl-db-secrets
      - name: certs
        secret:
          secretName: service-tls-certs
      - name: tmp-pod
        emptyDir: {}
  backoffLimit: 1
  parallelism: 1
  completions: 1
